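def generateIOC(md5, confDict):
    """Build a PoisonIvy OpenIOC from a decoded config and persist it.

    Args:
        md5: Sample hash; used as the FileItem/Md5sum indicator and as the
            key under which the domain list and the IOC are stored.
        confDict: Decoded PoisonIvy configuration. Keys read here:
            "InstallName", "InstallPath", "Mutex", "ActiveXKey",
            "HKLMValue" and "Domains" (a '|'-separated list of
            'host:port' entries).

    Raises:
        KeyError: if one of the keys above is missing from confDict.

    Side effects:
        Calls database.insertDomain(md5, domList) and
        database.insertIOC(md5, IOC). Returns nothing.
    """
    # File / process artefacts: one group of terms.
    fileIOC = [
        ('is', 'FileItem', 'FileItem/FileName', 'string', confDict["InstallName"]),
        ('contains', 'FileItem', 'FileItem/FilePath', 'string', confDict["InstallPath"]),
        ('is', 'FileItem', 'FileItem/Md5sum', 'md5', md5),
        ('is', 'ProcessItem', 'ProcessItem/HandleList/Handle/Name', 'string', confDict["Mutex"]),
    ]
    # Registry artefacts. The key paths are raw strings: '\S', '\A', '\I',
    # '\W', '\C' and '\R' are not valid escapes, so the plain literals only
    # produced the right value because CPython keeps the backslash for an
    # unknown escape -- and newer interpreters warn about exactly that.
    regIOC = [
        ('contains', 'RegistryItem', 'RegistryItem/Path', 'string',
         r'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'),
        ('is', 'RegistryItem', 'RegistryItem/Value', 'string', confDict["ActiveXKey"]),
        ('contains', 'RegistryItem', 'RegistryItem/Path', 'string',
         r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'),
        ('is', 'RegistryItem', 'RegistryItem/Value', 'string', confDict["HKLMValue"]),
    ]
    items = [fileIOC, regIOC]

    # "Domains" holds 'host:port' entries joined by '|'; keep only the host
    # part. Empty entries (e.g. from a trailing '|') are passed to
    # insertDomain unchanged, as before, but are not emitted as indicators.
    domList = [entry.split(":")[0] for entry in confDict["Domains"].split("|")]
    database.insertDomain(md5, domList)
    # Each domain becomes its own one-term group, as in the original.
    items.extend(
        [("contains", "Network", "Network/DNS", "string", domain)]
        for domain in domList
        if domain != ''
    )
    # Indicator values are taken verbatim from the decoded config; any
    # escaping needed for the IOC output format is assumed to happen in
    # createIOC.main -- not verified here.
    IOC = createIOC.main(items, 'PoisonIvy', md5)
    database.insertIOC(md5, IOC)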
def generateIOC(md5, config_dict):
    """Build a ShadowTech OpenIOC from a decoded config and persist it.

    Args:
        md5: Sample hash under which the IOC is stored.
        config_dict: Decoded ShadowTech configuration; the "Port" and
            "Domain" keys are read.

    Raises:
        KeyError: if "Port" or "Domain" is missing from config_dict.

    Side effects:
        Calls database.insertIOC(md5, IOC). Returns nothing.
    """
    remote_port = config_dict["Port"]
    dns_name = config_dict["Domain"]
    # Both network indicators belong to a single term group.
    net_terms = [
        ("is", "PortItem", "PortItem/remotePort", "string", remote_port),
        ("contains", "Network", "Network/DNS", "string", dns_name),
    ]
    # Values come straight from the decoded config; escaping for the IOC
    # output format is assumed to be handled by createIOC.main.
    IOC = createIOC.main([net_terms], 'ShadowTech', md5)
    database.insertIOC(md5, IOC)
def generateIOC(md5, config_dict):
    """Build a ShadowTech OpenIOC from a decoded config and persist it.

    Args:
        md5: Sample hash under which the IOC is stored.
        config_dict: Decoded ShadowTech configuration; the "Port" and
            "Domain" keys are read.

    Raises:
        KeyError: if "Port" or "Domain" is missing from config_dict.

    Side effects:
        Calls database.insertIOC(md5, IOC). Returns nothing.
    """
    # (condition, item type, search path, config key) per indicator; the
    # value type is "string" for both.
    term_specs = (
        ("is", "PortItem", "PortItem/remotePort", "Port"),
        ("contains", "Network", "Network/DNS", "Domain"),
    )
    network_group = []
    for condition, item_type, search_path, cfg_key in term_specs:
        network_group.append(
            (condition, item_type, search_path, "string", config_dict[cfg_key])
        )
    # A single group holding both network terms.
    all_groups = [network_group]
    # Values come straight from the decoded config; escaping for the IOC
    # output format is assumed to be handled by createIOC.main.
    IOC = createIOC.main(all_groups, "ShadowTech", md5)
    database.insertIOC(md5, IOC)
def generateIOC(md5, config_dict):
    """Build a ShadowTech OpenIOC from a decoded config and persist it.

    Args:
        md5: Sample hash under which the IOC is stored.
        config_dict: Decoded ShadowTech configuration; the "Port" and
            "Domain" keys are read.

    Raises:
        KeyError: if "Port" or "Domain" is missing from config_dict.

    Side effects:
        Calls database.insertIOC(md5, IOC). Returns nothing.
    """
    port_term = ("is", "PortItem", "PortItem/remotePort", "string", config_dict["Port"])
    dns_term = ("contains", "Network", "Network/DNS", "string", config_dict["Domain"])
    # Both terms go into one group, which is the only group in the IOC.
    network_group = [port_term, dns_term]
    groups = []
    groups.append(network_group)
    # Values come straight from the decoded config; escaping for the IOC
    # output format is assumed to be handled by createIOC.main.
    IOC = createIOC.main(groups, "ShadowTech", md5)
    database.insertIOC(md5, IOC)
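def generateIOC(md5, confDict):
    """Build a PoisonIvy OpenIOC from a decoded config and persist it.

    Args:
        md5: Sample hash; used as the FileItem/Md5sum indicator and as the
            key under which the domain list and the IOC are stored.
        confDict: Decoded PoisonIvy configuration. Keys read here:
            "InstallName", "InstallPath", "Mutex", "ActiveXKey",
            "HKLMValue" and "Domains" (a '|'-separated list of
            'host:port' entries).

    Raises:
        KeyError: if one of the keys above is missing from confDict.

    Side effects:
        Calls database.insertDomain(md5, domList) and
        database.insertIOC(md5, IOC). Returns nothing.
    """
    # Registry key paths as raw strings. The original plain literals relied
    # on CPython keeping the backslash for unknown escapes ('\S', '\A',
    # '\R', ...); recent interpreters emit a SyntaxWarning for that, and
    # the value is identical either way.
    ACTIVE_SETUP_PATH = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'
    RUN_KEY_PATH = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'

    # Group 1: file and process artefacts.
    fileIOC = []
    fileIOC.append(('is', 'FileItem', 'FileItem/FileName', 'string',
                    confDict["InstallName"]))
    fileIOC.append(('contains', 'FileItem', 'FileItem/FilePath', 'string',
                    confDict["InstallPath"]))
    fileIOC.append(('is', 'FileItem', 'FileItem/Md5sum', 'md5', md5))
    fileIOC.append(('is', 'ProcessItem', 'ProcessItem/HandleList/Handle/Name',
                    'string', confDict["Mutex"]))

    # Group 2: registry artefacts (persistence locations and their values).
    regIOC = []
    regIOC.append(('contains', 'RegistryItem', 'RegistryItem/Path', 'string',
                   ACTIVE_SETUP_PATH))
    regIOC.append(('is', 'RegistryItem', 'RegistryItem/Value', 'string',
                   confDict["ActiveXKey"]))
    regIOC.append(('contains', 'RegistryItem', 'RegistryItem/Path', 'string',
                   RUN_KEY_PATH))
    regIOC.append(('is', 'RegistryItem', 'RegistryItem/Value', 'string',
                   confDict["HKLMValue"]))

    items = [fileIOC, regIOC]

    # "Domains" is 'host:port' entries joined by '|'; keep the host only.
    domList = []
    for entry in confDict["Domains"].split("|"):
        host = entry.split(":")[0]
        domList.append(host)
    # Empty hosts (e.g. from a trailing '|') are handed to insertDomain as
    # before; they are only filtered out of the IOC below.
    database.insertDomain(md5, domList)

    # Every non-empty domain is its own one-term group, as in the original.
    for host in domList:
        if host == '':
            continue
        items.append([("contains", "Network", "Network/DNS", "string", host)])

    # Indicator values are taken verbatim from the decoded config; any
    # escaping needed for the IOC output format is assumed to happen in
    # createIOC.main -- not verified here.
    IOC = createIOC.main(items, 'PoisonIvy', md5)
    database.insertIOC(md5, IOC)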